From owner-freebsd-hackers@FreeBSD.ORG Thu Mar 26 23:58:12 2015 Return-Path: Delivered-To: freebsd-hackers@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 1EF12784 for ; Thu, 26 Mar 2015 23:58:12 +0000 (UTC) Received: from anubis.delphij.net (anubis.delphij.net [64.62.153.212]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "anubis.delphij.net", Issuer "StartCom Class 1 Primary Intermediate Server CA" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 0302EEC0 for ; Thu, 26 Mar 2015 23:58:11 +0000 (UTC) Received: from zeta.ixsystems.com (unknown [12.229.62.2]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by anubis.delphij.net (Postfix) with ESMTPSA id 539CCE0AD; Thu, 26 Mar 2015 16:58:11 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=delphij.net; s=anubis; t=1427414291; x=1427428691; bh=e25IvTiFdkgbzBWaTNaRTMnMNtfmEq49Uk0964+Z5Fw=; h=Date:From:Reply-To:To:Subject:References:In-Reply-To; b=AmQRpUwYRuisI5ZdiniQo2II0nhjYxIK73wxuSu0akzyB9dN3Pi5EVDogcIsWNE6n d190/Ao4Lh920uh/uE4T3OVWv7SEAwBHxTersOxUwYqVPhyalJ/XuUkBdpAcTQqWdE soW6QxniTO4/dvRYf0gi+tE5mZ95+2nrOwPdvvmE= Message-ID: <55149D12.6070602@delphij.net> Date: Thu, 26 Mar 2015 16:58:10 -0700 From: Xin Li Reply-To: d@delphij.net Organization: The FreeBSD Project MIME-Version: 1.0 To: Pedro Arthur , "" Subject: Re: GELI support on /boot folder References: In-Reply-To: Content-Type: text/plain; charset=windows-1252 Content-Transfer-Encoding: 8bit X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 26 Mar 2015 23:58:12 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On 03/18/15 11:50, Pedro Arthur wrote: > Hi, I was discussing with Kris Moore about adding support for GELI > in bootloader as a GSoC project, thus the /boot folder could be > encrypted. What's the benefit of encrypting /boot? If it's encrypted, will the system use only passphrase to unlock the storage, instead of the combination of both passphrase and a key file? (Use passphrase only is a bad idea because that would mean we essentially encrypt different data with the same key, if two encrypted providers both use the same passphrase. This is probably not a big deal for single disk systems like a laptop system but could have bad consequence if it's used in larger scale). Cheers, - -- Xin LI https://www.delphij.net/ FreeBSD - The Power to Serve! Live free or die -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.1.2 (FreeBSD) iQIcBAEBCgAGBQJVFJ0QAAoJEJW2GBstM+nsiPAP/icF4pbVf5yosxErQKQHd2nm /0Kf0uurpcYCvQgzU6F4Y1vDonGEZgQV6Iyl0Xq5NgvKWYowp2gl6289/Qndnk0m QPDSEAfrmkoNSoTUV6KLuV/3q2aBZdZFKSWhQdJLbPHWpqVGrisbqmFmPaNafhoC 1Y62gvaA+u1r+IxGMVTedz7PErA2//jEF1PcnMKM6L5K7m9YIf5L8UgVkqWBXDtR nc6pDryvdLvm9m+T8b1CN0EYeqYGQrpql0SCZR7GkTfWwev1X/23oZYmCgtUuft8 FIj0loQc9A2jZ0cZ9aYhpAFxiLVJjB19b3cCkEtbc+9U+wcyTo1BayC3G9t8ZI5g VIx/I9lssZ07onVUu50C70IGbI+tB9Hjo+pA/76RIhzg93JfNpCJ1/Lqfcq3IzqB UUYgqnPf3+oV+OipmTUfG0/gYsBk5TpYEmAv3wpoatNRNwrofFMAGQLeVvLEGJ2a 5n8v8kZfSPXtI/8WE8EZKEP8iGPYiOHm0vujkVMJStWYwS8H9Z+y1zWGodcnO5Jq 7J+K1776WGWDGVetL3S3Ma+UjtCd9K3y+HJWHjYRhpFJsKi38Ur9o9p5U6F7r5M1 PbGnf6dZNVUAZJYBQgKXMpHbWmCuU9KLXUX1NtCfGqhx4BVXmU7e0/EmPFafbeGm FD5SwR3r9khIEoNFSgrK =+O3x -----END PGP SIGNATURE-----